<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Gal:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> I had seen the brute force blueprint and noticed how close the use case was. Can you tell me the current status of the work? Do you feel confident it
can get into Liberty? Ideally, we think this fits better with QoS. Also I don’t think of it as providing FWaaS as we see that all VMs would be protected by this when enabled, but maybe that is just terminology. We think these protections are critical so
we are more concerned with having the ability to protect against these cases than the specific API or service it falls under. Yes we would be interested in working together to get this pushed through.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> John<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Gal Sagie [mailto:gal.sagie@gmail.com]
<br>
<b>Sent:</b> Wednesday, June 17, 2015 12:45 PM<br>
<b>To:</b> OpenStack Development Mailing List (not for usage questions)<br>
<b>Cc:</b> lionel.zerbib@huawei.com; Derek Chamorro (dechamor); Eran Gampel<br>
<b>Subject:</b> Re: [openstack-dev] [Neutron] [QOS] Request for Additional QoS capabilities<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">Hi John,<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">We were trying to push a very similar spec to enhance the security group API, we covered both DDoS case<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">and another use case for brute force prevention (We did a research to identify common protocols login behaviour<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">in order to identify brute force attacks using iptables) and even some UI work<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">You can view the specs and implementations here:<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1) <a href="https://review.openstack.org/#/c/184243/">https://review.openstack.org/#/c/184243/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2) <a href="https://review.openstack.org/#/c/154535/">https://review.openstack.org/#/c/154535/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">3) <a href="https://review.openstack.org/#/c/151247/">https://review.openstack.org/#/c/151247/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">4) <a href="https://review.openstack.org/#/c/161207/">https://review.openstack.org/#/c/161207/</a><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">The spec didn't got approved as there is a strong opinion to keep the security group API compatible with Amazon.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">I think this and your request fits much more into the FWaaS and if this is something you would like to work together on and push<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">i can help and align the above code to use FWaaS.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Feel free to contact me if you have any question<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Thanks<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">Gal.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">On Wed, Jun 17, 2015 at 6:58 PM, John Joyce (joycej) <<a href="mailto:joycej@cisco.com" target="_blank">joycej@cisco.com</a>> wrote:<o:p></o:p></p>
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Hello everyone:
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> I would like to test the waters on some new functionality we think is needed to protect OpenStack deployments from some overload situations due to
an excessive user or DDOS scenario. We wrote this up in the style of an RFE. Please let us know your thoughts and we can proceed with a formal RFE with more detail if there are no concerns raised.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">*What is being requested*</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">This request is to extend the QOS APIs to include the ability to provide connection rate limiting
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">*Why is it being requested*</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">There are many scenarios where a VM may be intentionally malicious or become harmful to the network due to its rate of initializing TCP connections.
The reverse direction of a VM being attacked with an excessive amount of TCP connection requests either intentionally or due to overload is also problematic.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">*Implementation Choices</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black"> There might be a number of ways to implement this, but one of the easiest would appear to be to extend the APIs being developed under:
<a href="https://review.openstack.org/#/c/187513/" target="_blank">https://review.openstack.org/#/c/187513/</a></span><span style="color:#1F497D">.
</span><span style="color:black">An additional rule type “connections per-second” could be added.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">The dataplane implementation itself may be realized with netfilter and conntrack.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">*Alternatives</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">It would be possible to extend the security groups in a similar fashion, but due to the addition of rate limiting, QoS seems a more nature fit.
</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">*Who needs it*</span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><span style="color:black">Cloud operators have experienced this issue in real deployments in a number of cases. </span><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="margin-bottom:12.0pt"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" target="_blank">
OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><o:p></o:p></p>
</div>
<p class="MsoNormal"><br>
<br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<p class="MsoNormal">Best Regards ,<br>
<br>
The G. <o:p></o:p></p>
</div>
</div>
</div>
</body>
</html>